ITS 3250 - Securing Systems
Security Strategies in Windows...
Chapters 1 and 2
This lesson presents an introduction to Windows and threats. Objectives
important to this lesson:
- Windows and a typical infrastructure
- Windows threats and vulnerabilities
- Discovery, analysis, and remediation
- Common attacks
- Windows OS components
- System architecture
- Access controls
- Access rules, rights, and permissions
- Users and groups
- Attack surfaces and mitigation
- Security monitoring
Concepts:
Chapter 1
Our text begins with a sensible reason for using defense in depth, the practice
of using multiple defense strategies. It is a good practice because complex
systems are unlikely to be protected by one solution. You are better off
with multiple defenses that won't all be defeated by the same attack.
Chapter 1 reviews the standard computer system goal of protecting three
aspects of your systems.
- Confidentiality - information should only be accessible
to users who have been granted access to it for valid reasons. Only
authorized users can access data if it is protected properly, and if
authorized users do not violate security policy.
- Integrity - data may not be changed except by authorized
users or processes. This means that data must be protected from alteration,
deletion, or other changes to its intended form.
- Availability - authorized users can access data when
they need to do so. Availability includes the idea that proper access
methods are provided only to authorized users, not to everyone.
This makes it unanimous. Those three ideas have been featured in all three
of my classes this term. In the image on the right, which I pulled from
a portion of Wikipedia, I added some color to make it more attractive. I
chose this one because it makes a point that the texts have not made. Each
of those services depends partly on the other two. You need all three for
a system to meet any of the CIA goals properly.
The text begins the first objective on page 7. We are reminded of the
workstation versions of Windows since XP: XP, Vista, Windows 7, and Windows
8. The text was apparently written before Windows 10, and the author ignores
Windows ME like everyone else does.
The list of server versions of Windows is similarly out of date. A more
complete list of both client and server versions can be found on this
Wikipedia page.
On page 10, the text begins a general discussion of Windows threats and
vulnerabilities. Both terms are defined. Threats are defined as
anything that could cause damage, disruption, or loss. Vulnerabilities
are defined as weaknesses, in this case in the Windows operating system
or associated software. Both terms should be familiar to you.
The text discusses three worms (malware programs that propagate
themselves to other computers) from the early 2000s:
- Code Red - Code Red was discovered in mid-2001. It targeted IIS servers,
  servers running Microsoft Internet Information Services, the default
  web server that comes with Windows Server editions. It had three phases:
  - Place a message on web sites on the infected machine. The default
    message is in the text.
  - Like any worm, attempt to spread itself to other servers. Typically,
    web servers pass information from one to another, so this was a
    reasonable plan.
  - After 20 to 27 days, the infected servers would launch Denial
    of Service (DoS) attacks on specific other servers.
  A more detailed discussion of this worm's features is available
  here.
  The text explains that Code Red worked by exploiting a buffer overflow
  vulnerability, for which a patch had been available for about a month
  before Code Red was found in the wild. The author observes that the
  Code Red authors were probably instructed about this vulnerability by
  the knowledge base article about the vulnerability that was published
  with the patch. This is not unusual. Some organizations are slow to
  apply security patches, which made the servers in those organizations
  specifically vulnerable to the new worm. Lesson: patch before you are
  victimized by what is suddenly a new lesson for hackers. The text implies
  that the infected servers would have been safe with the patch. Maybe.
  See the next discussion.
- SQL Slammer - SQL Slammer appeared in January of 2003 and again
in 2016. The text mentions that it exploited another overflow vulnerability,
this time in SQL Server and in Desktop Engine database programs. This
means that it attacked servers and workstations. Once again, there was
a patch available for it, but this worm was more dangerous in that it
could send itself by UDP packets, which do not require a live connection
to the computer that is being attacked. It also used UDP packets in
large numbers during its propagation efforts, causing stress or malfunction
to occur to routers, effectively staging a DoS attack on the network
being infected.
- Conficker - The discussion of Conficker in the text is a bit less
enlightening than the other two discussions. It emerged in 2008, but
it continues to be around. This link goes to a 2018
update about Conficker from Microsoft. Note the long list of Windows
versions where it may be found. Take a look at this set
of pages from Symantec about it. The Technical Description tab displays
a page that is more enlightening about the worm's propagation and its
behavior.
The text presents a three step process that is typically followed when
any virus or worm is detected, which actually is the first step:
- Discovery - The text points out that an attack is almost always noticed
by the effects it causes. In the case of Code Red, the worm announces
its presence. They aren't often that polite. It is more likely that
the effects of the attacking code will be noticed by the changes made
in the behavior of the workstations, servers, and/or network devices.
- Analysis - Analysis begins with examination of the odd behavior that
was noticed, then continues with determination of its causes. The text
points out that frequent review of problems that have happened to other
users, typically those noted on antivirus web sites, can lead to better
analysis and immediate understanding of the problem.
- Remediation - Remediation is self explanatory, but the text presents
a formal method that will apply in general: contain the damage, recover
the lost services (which means to patch or do what is necessary), and
start using controls to prevent similar loss. Often, this means that
you need to apply the patches you should have applied, but it can also
mean to renew licenses, install monitoring software, or to stop using
a practice that exposes you to loss.
Chapter 2
This chapter begins with two observations, that an operating system
for computers is a coordinated collection of software, not just one file
or program, and that a control is anything we use to address the
goals of information security. So, before addressing controls for particular
parts of the Windows operating system, the text reviews several important
parts of it, starting with the kernel.
The kernel is the name given to the most necessary part of most
operating systems (e.g. Windows, Linux, Apple OS). In Windows, parts of
the kernel are loaded into the working memory of any computer running
it, and other parts are left in nonvolatile storage until there is a need
to load them. The kernel provides basic access to hardware, calls other
portions of itself (as needed) and runs other parts of the operating system,
including drivers that have been installed for particular hardware. The
text mentions that some operating systems use a microkernel, a
smaller than usual version of the kernel, that calls more external programs
than the usual kernel has to call.
Page 23 lists five major services performed by an operating system. These
services may also be performed by applications for their own needs, but
they belong with the operating system first.
- program/process management - This includes allocating memory for programs,
loading them and unloading them, and scheduling CPU cycles for them.
- input and output - This handles the basic requirement to receive input
for the operating system (and all programs) and to handle the various
forms of output that may be needed.
- file system - Although many systems consider objects in memory to
be files, this refers to reading, writing, and organizing data on long
term storage devices.
- communication - This refers to communication that must take place
between programs and with portions of the operating system, not to communication
with other systems or devices.
- error detection and alerts - This is about watching for unexpected
events when programs, and the operating system, run. Errors are typically
reported as screen messages to the user.
You should know that some programs rely totally on these services in
the operating system, as opposed to having functions to handle these services
themselves.
On page 24, the text tells us that current versions of Windows work with
a microkernel that calls other parts of the OS that run in kernel mode.
Aside from that distinction not being immediately explained, the text
tells us that this is not usually done in other OSs that run with a microkernel.
Windows does it to provide a more modular approach, allowing essential
parts of the kernel to be updated without having to always update the
microkernel itself.
Explaining the phrase "kernel mode", the text tells us that
programs running on a Windows system can run in one of two modes. Kernel
mode is a mode with more privileges, and only meant to be used
by OS components that are called by the kernel, which always runs
in this mode. Kernel mode allows privileged access to the hardware
of the computer. User mode is how most programs are meant to operate,
passing their hardware requests through the kernel mode programs. This
is illustrated in the figure on page 25. In the image below, from Wikipedia,
a bit more detail is shown. You can click the image below to visit the
Wikipedia discussion of this material, which is also more detailed.

Both images and discussions tell us that if an attacker can get his/her
code to run in kernel mode, that code can do whatever the attacker wants
to do with the system and its hardware.
The charts on page 26 describe the functions of two user mode components
and four kernel mode components. (In the image above, you can see that
each of the components covered in the text can have components of its
own.) The information below is taken from the
same page in Wikipedia.
| Mode | Component | Description |
|---|---|---|
| User | Integral subsystem | The integral subsystem deals with security tokens, grants or denies access to user accounts based on resource permissions, handles login requests and initiates login authentication, and determines which system resources need to be audited by Windows. |
| User | Environment subsystem | The interface between user mode applications and operating system kernel functions is called an environment subsystem. None of the environment subsystems can directly access hardware; access to hardware functions is done by calling into kernel mode routines. |
| Kernel | Executive | The Windows Executive services make up the low-level kernel-mode portion, and are contained in the file NTOSKRNL.EXE. It deals with I/O, object management, security and process management. |
| Kernel | Kernel mode drivers | Kernel-mode device drivers enable the kernel to interact with hardware devices. All devices are seen by user mode code as a file object in the I/O manager, though to the I/O manager itself the devices are seen as device objects, which it defines as either file, device, or driver objects. |
| Kernel | Microkernel | This is the portion of the kernel that is loaded when the system boots. It calls other components when needed. It provides CPU access, process scheduling, exception handling, and more. |
| Kernel | Hardware abstraction layer (HAL) | HAL is a layer between the physical hardware of the computer and the rest of the operating system. It was designed to hide differences in hardware and provide a consistent platform on which the kernel is run. The HAL includes hardware-specific code that controls I/O interfaces, interrupt controllers and multiple processors. It is matched with the kernel itself, and must be updated if the kernel is updated. |
The text moves on to discuss three important, related mechanisms. Identification
takes place when a user tells a system who they are, typically
by entering a recognized user ID. Authentication takes place
when a user proves they are the person that a user ID stands for,
typically by entering the password linked to that ID. Access
control is the process of allowing or denying access to assets based
on the permissions that have been granted to the ID for which the user
has authenticated. Access control is done by the system. Permissions must
have already been set up for the ID by someone with permission to do so,
or the access control will not have any effect.
The text lists three types of authentication on page 28. They
are classic methods.
- Type I - something you know, such as a password
- Type II - something you have, such as using an RSA
token with a display that changes once a minute, and the token
(code) on the display must be entered as part of your authentication
- Type III - something you are, such as a biometric characteristic like
a fingerprint or a retinal scan
The text does not mention other more recent additions to authentication
methods:
- something you do, such as moving your finger in a specific pattern
on a touch screen
- email or text code, such as changing a forgotten password for an
online account, by following a link the service sends you and entering
a one time, short lived code
- There are more methods listed in this article
from Network World.
The text introduces the idea that access control applies to programs
and processes on a system as well as to users. Whether a requester
is a user or some process, that requester is called a subject by
the access control system. The resource that the subject is attempting
to access is called the object of the request.
The text lists three types of access control models, each of which has
a different approach to using ACLs (Access Control Lists).
- Discretionary Access Control (DAC) - Rights that are granted to a subject
  under this system may be granted by that subject to other subjects in the
  system. This means that the owner of an object can assign rights to other
  subjects (users) without needing the intervention of an administrator.
- Mandatory Access Control (MAC) - In this one, there is more restriction.
  Objects are assigned to security classes, and subjects (users) are assigned
  security clearance levels. The result is that a user who has a clearance,
  for example, only for Confidential (and below) information cannot be
  assigned rights to an object classified as Secret or Top Secret.
- Role-based Access Control (RBAC) - Roles are like groups. Users can be
  assigned to either and rights can be inherited from the group or role by
  the user. A user can be assigned to multiple roles. In this system:
  - subjects must be assigned to roles or they will have no rights,
  - the role a subject is assigned to must be allowed (authorized) for the
    subject, which is not usually done with groups,
  - and transactions must be authorized for the role a subject is in, else
    the subject cannot perform them.
On page 29, the text describes using the Users and Groups utility in
Computer Management, which it forgets to mention is only found in servers,
not on workstations. In the illustration on page 30, you see the utility
running, displaying local groups that have been defined on the system
being used.
We are told (reminded?) that each local user and group has a unique Security
Identifier (SID). Five objects having well known (default) SIDs are
listed:
- Null SID - a group with no members, used by default when an SID for
an object is not known
- World - a group that includes all users in a system
- Local - a group that holds all users logged in to the system with
a local terminal
- Creator Owner ID - a placeholder that is replaced by the actual user
ID of a user who creates an object
- Creator Group ID - a placeholder that is replaced by the actual primary
group of a user who creates an object (see above)
The text explains that a user's access rights will be the sum of personal
rights and the rights assigned to the groups a user belongs to. The text
wanders in the weeds, teaching us some Microsoft operational definitions
for words that are treated as synonyms in English. Unfortunately, these
words are defined by different texts and different
web posters in different ways. This is what your book says:
- rights - tasks that a user can perform on system objects are
rights; examples are manage and shut down
- permissions - typically, permissions refer to rights to files
and folders in a system; example permissions are read, write, execute,
and delete
It is important to know that every object in a Windows environment (and
in an Active Directory environment) has a property called an Access
Control List, an ACL. This is a list of users and groups
who have been granted or denied specific kinds of access to that
object.
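The following PowerShell sketch is an added example, not taken from the textbook or the course page. It shows the "sum of personal and group rights" idea by matching the SIDs in the current user's logon token against the allow and deny entries in one object's ACL; the default `$Path` is an assumption and can be any file or folder whose ACL you can read.

```powershell
# Added example: approximate the NTFS rights the current user holds on a path.
# Assumption: $Path is any file or folder whose ACL you are allowed to read.
param([string]$Path = $env:SystemRoot)

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# The logon token carries the user's own SID plus one SID per group membership.
# Well-known SIDs such as World (S-1-1-0, displayed by Windows as "Everyone")
# appear here alongside ordinary groups.
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# Read the ACL with identities expressed as SIDs, explicit and inherited entries.
$acl   = Get-Acl -Path $Path
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$allow = 0
$deny  = 0

$matched = foreach ($ace in $rules) {
    # Skip entries for other subjects and entries that only apply to child objects.
    if ($tokenSids -notcontains $ace.IdentityReference.Value) { continue }
    if ($ace.PropagationFlags -band $inheritOnly) { continue }

    if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
    else                                    { $deny  = $deny  -bor [int]$ace.FileSystemRights }

    # Show a friendly name when the SID can be resolved, otherwise the raw SID.
    $name = $ace.IdentityReference.Value
    try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { }   # unresolvable SID: keep the raw value

    [pscustomobject]@{
        Subject   = $name
        Type      = $ace.AccessControlType
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
    }
}

$matched | Format-Table -AutoSize

# Union of everything allowed, minus anything denied (a simplification).
$effective = $allow -band (-bnot $deny)
'Effective rights (approximate): {0}' -f [System.Security.AccessControl.FileSystemRights]$effective
```

This is an approximation: Windows evaluates entries in order and also considers object ownership and privileges, so treat the result as a review aid rather than an authoritative answer.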
The text briefly discusses Workgroups, which Microsoft recommends
not using if your local network has more than ten users. More useful information
picks up on page 32, with the discussion of Active Directory, the
database of network objects that is used in practically all Windows networks.
We are warned that using Active Directory requires more processing power
for the servers that maintain it. The text tells us that security is increased
on systems using Active Directory due to each user ID being unique in
the entire system. This is not true for old style networks that allowed
each server to have its own local users, each of whom would have a different
SID.
After vamping for several sentences, the text tells us on page 33 that "the
collection of all possible vulnerabilities that could provide
unauthorized access to computer resources" is called an attack surface.
Each resource can be said to have its own attack surface. As noted elsewhere,
the text recommends a multilayered defense, installing more than one kind
of protection for each asset. One kind of protection is to minimize the
rights that are granted to users for objects in the system. The text also
mentions that servers should be configured to only offer the services
that are needed from them, not the full spectrum of services that a server
might provide. For instance, disabling IIS on a server will prevent an
attacker from running an exploit on IIS on that server. The text recommends
using Server Manager to implement and run only the services that your
network needs. Removing unnecessary services is a standard part of hardening
a server, making it more difficult to attack.
When a service is needed, the server providing it can still be hardened
in other ways. The text mentions two on page 34: removing vulnerabilities
with patches and updates, and preventing attacks on existing
vulnerabilities with multiple layers of controls. It should be
a standard maintenance concern to do both for all appropriate devices
on your network.
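As an added example (not from the textbook or the course page), the PowerShell below audits both hardening points on one machine: it maps every listening TCP port to the running service behind it and compares those services to a baseline, then reports the most recent installed update. The `$approved` list is a constructed sample baseline and must be replaced with the services your server is actually meant to offer.

```powershell
# Added example: which running services expose listening TCP ports here?
# Assumption: $approved is a constructed sample baseline, not a recommendation.
$approved = @('W3SVC', 'LanmanServer', 'TermService')

# Index running services by process ID (several services can share one process).
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service -Filter "State = 'Running'" | ForEach-Object {
    $procId = [int]$_.ProcessId
    if (-not $servicesByPid.ContainsKey($procId)) { $servicesByPid[$procId] = @() }
    $servicesByPid[$procId] += $_.Name
}

# Each listening socket is a reachable part of the attack surface.
$report = Get-NetTCPConnection -State Listen | ForEach-Object {
    $procId = [int]$_.OwningProcess
    $names  = if ($servicesByPid.ContainsKey($procId)) { $servicesByPid[$procId] } else { @() }
    $extra  = @($names | Where-Object { $approved -notcontains $_ })

    $review = if ($names.Count -eq 0)    { 'not a service: identify the process' }
              elseif ($extra.Count -gt 0) { 'not in baseline: ' + ($extra -join ', ') }
              else                        { 'ok' }

    [pscustomobject]@{
        LocalAddress = $_.LocalAddress
        LocalPort    = $_.LocalPort
        ProcessId    = $procId
        Services     = $names -join ', '
        Review       = $review
    }
}

$report | Sort-Object LocalPort | Format-Table -AutoSize

# Patch check: Get-HotFix lists updates recorded by Win32_QuickFixEngineering,
# which is not every update type, so treat the date as a lower bound.
$last = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($last) {
    'Most recent update: {0} installed {1:yyyy-MM-dd}' -f $last.HotFixID, $last.InstalledOn
} else {
    'No dated updates found by Get-HotFix'
}
```

Run it from an elevated PowerShell session so that service and socket ownership information is complete.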
The text reminds us to consider security for a system at three particular
times, which it refers to as milestones.
- Installation of the operating system or applications
- Monitoring the operation of the system
- Making configuration changes to the system
The text admits that monitoring is not so much an event as a regular
task, but checking security should be part of it.